Vimeo account takeover

A while back I was playing around with the OAuth2 spec and discovered a flaw in how Vimeo associates Facebook accounts. Their Facebook connect callback URL was vulnerable to cross-site request forgery (CSRF), allowing an attacker to connect their own Facebook account to a victim's Vimeo account.

Background

If you try to connect a Facebook account to your Vimeo account, Vimeo sends you to the following URL:

Once you accept the authorization prompt, Facebook returns an HTTP 302, redirecting you back to Vimeo's redirect_uri along with a code that Vimeo uses to access your Facebook info and associate the accounts.

Along with the code, Facebook echoes back the state value from the URL above, so that Vimeo can verify that the callback request is authentic and originated from the same browser session that started the flow.
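To make the state check concrete, here is an added Python example (not Vimeo's code, nor anything from the original post) of how a relying party binds state to the browser session when it starts the flow and verifies it on the callback. The endpoint, client id and redirect URI are constructed placeholders; the session is modelled as a plain dict standing in for a server-side session store keyed by the browser's cookie.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values for the example; not real Vimeo/Facebook configuration.
AUTHORIZE_URL = "https://provider.invalid/dialog/oauth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://relying-party.invalid/oauth/callback"


def start_flow(session):
    """Generate an unguessable state, bind it to this browser's session,
    and build the authorization URL the user is redirected to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Validate the provider's redirect back to us.

    Returns {"ok": True, "code": ...} only when the presented state matches the
    state stored in *this* session. The stored state is consumed on first use,
    so a callback cannot be replayed, and a callback arriving in a session that
    never started the flow (the CSRF case) has nothing to match against.
    """
    params = parse_qs(urlsplit(callback_url).query)
    presented = params.get("state", [None])[0]
    expected = session.pop("oauth_state", None)  # one-time use

    if not expected:
        return {"ok": False, "reason": "no flow in progress for this session"}
    if not presented:
        return {"ok": False, "reason": "callback carried no state"}
    # Constant-time comparison; the values are short but it costs nothing.
    if not hmac.compare_digest(presented, expected):
        return {"ok": False, "reason": "state mismatch: rejecting as possible CSRF"}

    code = params.get("code", [None])[0]
    if not code:
        return {"ok": False, "reason": "callback carried no code"}
    return {"ok": True, "code": code}


if __name__ == "__main__":
    # Honest flow: the session that started the flow receives the callback.
    session = {}
    start_flow(session)
    print(handle_callback(session, f"{REDIRECT_URI}?code=abc&state={session['oauth_state']}"))
    # CSRF-shaped request: a callback delivered to a session that never started a flow.
    print(handle_callback({}, f"{REDIRECT_URI}?code=abc&state=whatever"))
```

The important property is that the state is looked up in the session of the browser that receives the callback, not merely checked for presence or well-formedness; a state that is valid in the attacker's own session must mean nothing in the victim's. The session cookie should also be HttpOnly and, ideally, SameSite so the callback cannot be driven from a third-party page at all.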

Vimeo correctly set a state parameter, but used code similar to the following to verify the state: